diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py
index 9537835cd0..f555c190df 100755
--- a/admin/securedrop_admin/__init__.py
+++ b/admin/securedrop_admin/__init__.py
@@ -446,6 +446,25 @@ def update_config(self):
 self.save()
 self.validate_gpg_keys()
 self.validate_journalist_alert_email()
+ self.validate_https_and_v3()
+ return True
+
+ def validate_https_and_v3(self):
+ """
+ Checks if https is enabled with v3 onion service.
+
+ :returns: False if both v3 and https enabled, True otherwise.
+ """
+ warning_msg = ("You have configured HTTPS on your source interface "
+ "and v3 onion services. "
+ "IMPORTANT: Ensure that you update your certificate "
+ "to include your v3 source URL before advertising "
+ "it to sources! ")
+
+ if self.config.get("v3_onion_services", False) and \
+ self.config.get("securedrop_app_https_certificate_cert_src"):
+ print(warning_msg)
+ return False
 return True
 
 def check_for_v2_onion(self):
diff --git a/admin/tests/test_securedrop-admin.py b/admin/tests/test_securedrop-admin.py
index c568f5ca0c..7a876c1c44 100644
--- a/admin/tests/test_securedrop-admin.py
+++ b/admin/tests/test_securedrop-admin.py
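Review bot: In `admin/securedrop_admin/__init__.py`, `update_config` calls `self.validate_https_and_v3()` and discards the result, so the documented `False` never changes the flow and the only safeguard is a single `print` that can scroll past in the rest of the configuration output. A certificate that does not cover the v3 address would presumably give sources a hostname-mismatch warning, so if the check is meant to stay advisory the docstring should say so, e.g. `:returns: False if both v3 and https are enabled (advisory only; update_config ignores the result).` The condition also keys on `securedrop_app_https_certificate_cert_src` being non-empty rather than on the HTTPS on/off setting itself (presumably `securedrop_app_https_on_source_interface`; confirm), so a leftover certificate path could trigger the warning with HTTPS disabled. `update_config` begins outside the hunk.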
@@ -1042,3 +1042,22 @@ def test_find_or_generate_new_torv3_keys_subsequent_run(tmpdir, capsys):
 v3_onion_service_keys = json.load(f)
 
 assert v3_onion_service_keys == old_keys
+
+
+def test_v3_and_https_cert_message(tmpdir, capsys):
+ args = argparse.Namespace(site_config='UNKNOWN',
+ ansible_path='tests/files',
+ app_path=dirname(__file__))
+ site_config = securedrop_admin.SiteConfig(args)
+ site_config.config = {"v3_onion_services": False,
+ "securedrop_app_https_certificate_cert_src": "ab.crt"} # noqa: E501
+ # This should return True as v3 is not setup
+ assert site_config.validate_https_and_v3()
+
+ # This should return False as v3 and https are both setup
+ site_config.config.update({"v3_onion_services": True})
+ assert not site_config.validate_https_and_v3()
+
+ # This should return True as https is not setup
+ site_config.config.update({"securedrop_app_https_certificate_cert_src": ""}) # noqa: E501
+ assert site_config.validate_https_and_v3()
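Review bot: `test_v3_and_https_cert_message` requests `capsys` but never reads it, so the warning text is untested even though it is the only effect an admin sees, given that `update_config` ignores the return value. After the `assert not site_config.validate_https_and_v3()` case, add `out, _ = capsys.readouterr()` and `assert "update your certificate" in out`, and check that the message is absent from the output in the two `True` cases. A case where neither key is present in `config` would also pin the `.get()` defaults. `tmpdir` is unused and can be dropped from the signature.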